Back to overview

CVE-2026-52891

CRITICAL
9.9
CVSS 3.1
Description
Wekan is open source kanban built with Meteor. Prior to 9.07, Wekan avatar upload functionality embeds user-supplied filenames into paths later passed to child_process.exec() for MIME-type detection. Because models/avatars.js and models/fileValidation.js used a shell command with the avatar filename, shell metacharacters such as backticks and $() in the filename could execute commands on the server. This issue is fixed in version 9.07.

Metadata

CVE ID
CVE-2026-52891
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-08 21:44 UTC
Published
2026-07-15 21:08 UTC
Last updated
2026-07-15 21:08 UTC
Primary CWE
CWE-78
CWE-78: Improper Neutralization of Special Elements used in …
Vendor / Product
wekan / wekan
Sources
cve.org  ·  NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
wekan wekan < 9.07
Weakness (CWE)
CWESourceDescription
CWE-78 cna CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-88 cna CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.9 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References (3)
Back to overview